The detection identifies potential espionage activity by the Casper French malware, which is leveraging a malicious x86 payload to exfiltrate data through a compromised URL. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats before significant data loss occurs.
YARA Rule
rule Casper_Backdoor_x86
{
meta:
description = "Casper French Espionage Malware - Win32/ProxyBot.B - x86 Payload http://goo.gl/VRJNLo"
author = "Florian Roth"
reference = "http://goo.gl/VRJNLo"
date = "2015/03/05"
hash = "f4c39eddef1c7d99283c7303c1835e99d8e498b0"
score = 80
strings:
$s1 = "\"svchost.exe\"" fullword wide
$s2 = "firefox.exe" fullword ascii
$s3 = "\"Host Process for Windows Services\"" fullword wide
$x1 = "\\Users\\*" fullword ascii
$x2 = "\\Roaming\\Mozilla\\Firefox\\Profiles\\*" fullword ascii
$x3 = "\\Mozilla\\Firefox\\Profiles\\*" fullword ascii
$x4 = "\\Documents and Settings\\*" fullword ascii
$y1 = "%s; %S=%S" fullword wide
$y2 = "%s; %s=%s" fullword ascii
$y3 = "Cookie: %s=%s" fullword ascii
$y4 = "http://%S:%d" fullword wide
$z1 = "http://google.com/" fullword ascii
$z2 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALC)" fullword ascii
$z3 = "Operating System\"" fullword wide
condition:
( all of ($s*) ) or ( 3 of ($x*) and 2 of ($y*) and 2 of ($z*) )
}This YARA rule can be deployed in the following contexts:
This rule contains 14 string patterns in its detection logic.
Scenario: Legitimate System Update via Casper (Jamf)
Description: A Casper (Jamf) policy is pushing a system update that includes a script or executable with a similar name to the malware.
Filter/Exclusion: Check the process.name field for “jamf” or “casper” in the process tree. Exclude processes initiated by the Jamf agent or scheduled via Casper policies.
Scenario: Scheduled Job Running PowerShell Script
Description: A scheduled job runs a PowerShell script that temporarily creates a file with a name similar to the malware’s payload.
Filter/Exclusion: Filter by process.name containing “powershell.exe” and check the process.parent.name for “schtasks.exe” or “task scheduler”. Exclude scripts known to be part of legitimate maintenance tasks.
Scenario: Admin Task Using PsExec to Deploy Software
Description: An administrator uses PsExec to deploy a legitimate application across the network, which may create a temporary file with a name matching the malware’s payload.
Filter/Exclusion: Filter by process.name containing “psexec.exe” and check the process.parent.name for “cmd.exe” or “explorer.exe”. Exclude processes initiated by known admin tools used for deployment.
Scenario: Antivirus Quarantine Process
Description: A legitimate antivirus tool quarantines a file, temporarily renaming it to a suspicious-looking name that matches the malware’s payload.
Filter/Exclusion: Check the process.name for “avgnt.exe”, “mcafee”, or similar antivirus process names. Exclude processes with “quarantine” or “safe” in their command line arguments.
Scenario: Network Monitoring Tool Generating Traffic
Description: A network monitoring tool (e.g., Wireshark, PRTG) generates traffic